How to Encrypt your Windows 7 Hard Disk with BitLocker

Encrypt your Windows 7 boot drive with BitLocker.

BYTE -- Sad but true. Your IT guy has to enable BitLocker in Windows 7 before you can use this excellent encryption tool. So talk IT into it. I've included instructions at the end of this piece in case you need to help them out a bit.

Once it is enabled, it's time to get going with encrypting your drive. First, locate your Windows 7 system drive in the Computer window. Right-click on the drive and select Turn on BitLocker.

BitLocker will scan your system to make sure the setup process can proceed. It might inform you that a new system drive will be created from free space on drive C. This is where BitLocker stores its boot-time components. After this is done, reboot.

Next, configure how the drive will be unlocked. You can plug in a USB drive holding the decryption key at boot time, or supply a PIN at startup for additional security.

When you select Require a Startup Key, the system will prompt you to insert a USB flash drive. This will store the decryption key. It'll also prompt you to save a separate copy of the recovery key, which you should keep so you can decrypt the drive in the event the startup key ever gets damaged or goes missing.

TIP: Don't save the recovery key to the same place as your startup key. It's like putting your house and car keys on the same ring. Not smart.

Before starting the encryption process, BitLocker will offer to run a system check. This ensures the startup key is readable at boot time and that decryption works. The whole process shouldn't take more than a couple of minutes, and I strongly recommend you take it up on its offer.

Note: When your system boots with the startup key plugged in, a message that says Remove disks or other media could pop up. If it does, press any key to restart.

CAUTION: Do not remove the startup key when you see this message. If you take the key out at this time, the startup check will fail and you'll have to begin again from a much earlier step. So just press a key and continue the boot process.

Once the startup check succeeds, BitLocker will begin encrypting the system drive in the background. The encryption process could take several hours. During this time the computer will still be usable -- and can in fact even be suspended, shut down or restarted.

That said, the system will be slower to respond while it encrypts the system drive. Don't expect to get a great deal done at this time.

If you double-click on the tray icon for BitLocker, you can see a progress window for the encryption process.

Drives encrypted by BitLocker will have a lock icon. Note that only the system drive has been protected. The other drives in this system, which hold auxiliary user data such as downloads, are not encrypted. You'll have to encrypt them manually.

Remember, BitLocker is included in most versions of Windows, but not in the home versions. If you have one of those, you'll have to seek another solution, like TrueCrypt.

Enjoy your newly secure boot drive.

As promised at the beginning, your system administrator will have to enable BitLocker in Windows. Here's a guide you can show them to help them figure that out.

FOR ADMINISTRATORS: If you've already got BitLocker up and visible on your system drive, just jump ahead to the configuration process above. Otherwise, launch gpedit.msc by typing that command in the Start Menu's Search box and pressing Enter.

Double-click on Require additional authentication at startup and select Enabled. Then check this: Allow BitLocker without a compatible TPM. The other options should each be set to Allow. Click OK and close the Group Policy Editor.
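As an added example that is not part of the article, here is a PowerShell script an administrator can run from an elevated prompt after applying that policy (it lives under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in gpedit.msc). It checks the registry values the policy writes against the settings the article recommends, then lists each volume's protection state with manage-bde; the registry value names are the documented ones, while the function name and the expected-value table are my own.

```powershell
# Added example (not from the BYTE article): audit the Group Policy values written by
# "Require additional authentication at startup", then show per-volume BitLocker status.
# Run from an elevated PowerShell prompt on Windows 7. If the key is missing right after
# editing the policy, run "gpupdate /force" first so the local policy is applied.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values expected once the policy is Enabled, "Allow BitLocker without a compatible TPM"
# is checked, and the remaining options are left at Allow
# (2 = Allow, 1 = Require, 0 = Do not allow).
$expected = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}

# Hypothetical helper name; returns $true only when every value matches.
function Test-BitLockerStartupPolicy {
    if (-not (Test-Path $policyPath)) {
        Write-Warning "Policy key $policyPath is absent: the policy is still Not Configured."
        return $false
    }
    $actual = Get-ItemProperty -Path $policyPath
    $ok = $true
    foreach ($name in $expected.Keys) {
        $value = $actual.$name           # $null when the value was never written
        if ($value -ne $expected[$name]) {
            Write-Warning ("{0}: found '{1}', expected {2}" -f $name, $value, $expected[$name])
            $ok = $false
        }
    }
    return $ok
}

if (Test-BitLockerStartupPolicy) {
    Write-Host 'Startup-authentication policy matches the recommended configuration.'
}

# manage-bde ships with Windows 7. Its status listing shows which volumes are protected;
# data drives not yet encrypted manually will still report "Protection Off".
manage-bde -status
```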

Based in New York, Serdar Yegulalp is managing editor of reviews at BYTE. Follow him @syegulalp or email him at Serdar.Yepululp@BYTE.com.